New ZooPark APT targets Android users in Middle East since 2015

Security researchers from Kaspersky Lab have uncovered a new cyber-espionage APT group tracked ZooPark that targeted entities in the Middle East during the past three years.

ZooPark APT has been active at least since 2015 and has shown a growing level of sophistication across the years.

“ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.” reads the report published by Kaspersky

Hackers mainly used waterhole attacks as infection vector, the experts discovered several news websites that have been compromised to redirect visitors to a downloading site that delivered the final malware.

Most of the victims were located in Egypt, Jordan, Morocco, Lebanon, and Iran.

“Some of the malicious ZooPark apps are being distributed from news and political websites popular in specific parts of the Middle East. They are disguised as legitimate apps with names like ‘TelegramGroups’ and ‘Alnaharegypt news’, among others, recognized in and relevant to some Middle Eastern countries” reads the press release published by Kaspersky.

Experts identified 4 different phases in the activity of the group:

2015 – pretty simple malware

ZooPark hackers distributed a very simple variant of the Android malware that was only able to steal accounts details registered on the victim device and contacts from the address book. The malicious app was disguised as the official Telegram application.

2016 – lightweight spyware

ZooPark implemented new features for its malware focused on cyber espionage.

“This new version is similar to the previous. The main difference is the inclusion of newspying features such as exfiltrate GPS location, SMS messages, call logs and some extra general information” continues the report.

2016 – commercial fork

The APT fork a version of the Spymaster Pro commercial spyware app, experts noticed several similarities between the commercial malware and the APT Android malware.

The main difference is the usage of their own C&C server.

2017 – modern spyware

ZooPark developers dropped the 2016 version resulting from the commercial fork and added major changes and improvements to the 2016 lightweight spyware.

“This malware variant represents a significant improvement on version 2.0, which seems to indicate that version 3.0 was some kind of fork.” added Kaspersky.

Kaspersky speculates the latest version was improved with the code bought from firms offering surveillance software.

“This suggests the latest version may have been bought from vendors of specialist surveillance tools. That wouldn’t be surprising, as the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East.” concluded the report.